SSL Exceptions while using CLI add-ons

Owned by Pankaj Goel (Inactive) (Deactivated)
Last updated: Feb 06, 2020 by Michael Kuhl
2 min read

Symptoms

When using CLI actions, the following exception is found:

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
AxisFault
 faultCode: {http://schemas.xmlsoap.org/soap/envelope/}Server.userException
 faultSubcode:
 faultString: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
 faultActor:
 faultNode:
 faultDetail:
    {http://xml.apache.org/axis/}stackTrace:javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1884)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:276)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:270)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1439)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:209)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:878)
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:814)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1016)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1339)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1323)
    at org.apache.axis.components.net.JSSESocketFactory.create(JSSESocketFactory.java:186)
    at org.apache.axis.transport.http.HTTPSender.getSocket(HTTPSender.java:191)
    at org.apache.axis.transport.http.HTTPSender.writeToSocket(HTTPSender.java:404)
    at org.apache.axis.transport.http.HTTPSender.invoke(HTTPSender.java:138)
    at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
    at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
    at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
    at org.apache.axis.client.AxisClient.invoke(AxisClient.java:165)
    at org.apache.axis.client.Call.invokeEngine(Call.java:2784)
    at org.apache.axis.client.Call.invoke(Call.java:2767)
    at org.apache.axis.client.Call.invoke(Call.java:2443)
    at org.apache.axis.client.Call.invoke(Call.java:2366)
    at org.apache.axis.client.Call.invoke(Call.java:1812)
    at org.swift.common.soap.confluence.ConfluenceserviceV2SoapBindingStub.login(ConfluenceserviceV2SoapBindingStub.java:4821)

Cause

Whenever CLI clients connect to target application over SSL (e.g.: HTTPS), it needs to trust the application. The way trust is handled in the Java/JDK is that you have a keystore (typically $JAVA_HOME/lib/security/cacerts) that contains a list of all the known CA certificates and Java will only trust certificates that are signed by those CA certificate or public certificates that exist within that keystore. This is also called truststore.

An example of a untrusted server certificate is when the target application is using a self-signed certificate.

Resolution

To resolve this, the public certificate (matching the domain name of the target application) needs to be imported in the Java keystore including chain of certificates, if any:

  1. Make sure you have imported your certificates into the truststore. (typically $JAVA_HOME/lib/security/cacerts)
  2. Make sure any certificates have been imported into the correct truststore in case you have multiple JDKs.. Try 'echo %JAVA_HOME%' (Windows) or 'echo $JAVA_HOME' (Linux)
  3. Check if your Anti Virus tool has "SSL Scanning" blocking SSL/TLS, if it does, this feature should be disabled.


The actual commands to import the certificates into the truststore may vary depending on the type of Certificates (e.g. PEM, DER, PKCS12) and the way certificates were generated (using openssl or java keytool).

Here is one example, your situation may be different. This uses Java's keytool:

sudo keytool -import -v -trustcacerts --alias myjira -file my-certificate.txt -keystore $JAVA_HOME/jre/lib/security/cacerts

References